arXiv:1503.02261v1 [cs.CR] 8 Mar 2015


Attack Trees with Sequential Conjunction* 


Ravi Jhawar 1, Barbara Kordy 2, Sjouke Mauw 1, Saša Radomirović 3, Rolando Trujillo-Rasua 1

1 University of Luxembourg, SnT, Luxembourg
2 INSA Rennes, IRISA, France
3 Institute of Information Security, Department of Computer Science, ETH Zurich, Switzerland


Abstract. We provide the first formal foundation of SAND attack trees, which are a popular extension of the well-known attack trees. The SAND attack tree formalism increases the expressivity of attack trees by introducing the sequential conjunctive operator SAND. This operator enables the modeling of ordered events.

We give a semantics to SAND attack trees by interpreting them as sets 
of series-parallel graphs and propose a complete axiomatization of this 
semantics. We define normal forms for SAND attack trees and a term 
rewriting system which allows identification of semantically equivalent 
trees. Finally, we formalize how to quantitatively analyze SAND attack 
trees using attributes. 
1 Introduction

Attack trees allow for an effective security analysis by systematically organizing 
the different ways in which a system can be attacked into a tree. The root node 
of an attack tree represents the attacker’s goal and the children of a given node 
represent its refinement into sub-goals. A refinement is typically either disjunctive 
(denoted by OR) or conjunctive (denoted by AND). The leaves of an attack tree 
represent the attacker’s actions and are called basic actions. 

Since their inception by Schneier [26], attack trees have quickly become a popular modeling tool for security analysts. However, the limitations of this formalism, in particular with respect to expressing the order in which the various attack steps are executed, have been recognized by many authors (see e.g., [?]). In practice, modeling of security scenarios often requires constructs where conditions on the execution order of the attack components can be clearly specified. This is for instance the case when the time or (conditional) probability of an attack is considered, as in [?]. Consequently, several studies have extended attack trees informally with sequential conjunctive refinements. Such extensions have resulted in improved modeling and analyses (e.g., [?]) and software tools, e.g., ATSyRA [32].


* This is an extended version of [8].







Even though the sequential conjunctive refinement, which we denote by SAND, is well understood at a conceptual level and even applied to real world scenarios [22], none of the existing solutions have provided a rigorous mathematical formalization of attack trees with SAND. Indeed, the extensions found in the literature are rather diverse in terms of application domain, interpretation, and formality. Thereby, it is infeasible to answer fundamental questions such as: What is the precise expressibility of SAND attack trees? When do two such trees represent the same security scenario? Or what type of attributes can be synthesized on SAND attack trees in the standard bottom-up way? These questions can only be precisely answered if SAND attack trees are provided with a formal, general, and explicit interpretation, that is to say, if SAND attack trees are given a formal foundation.


Contributions: In this article we formalize the meaning of a SAND attack tree by defining its semantics. Our semantics is based on series-parallel (SP) graphs, which are a well-studied branch of graph theory. We provide a complete axiomatization for the SP semantics and show that the SP semantics for SAND attack trees is a conservative extension of the multiset semantics for standard attack trees [18] (i.e., our extension does not introduce unexpected equivalences w.r.t. the multiset semantics). To do so, we define a term rewriting system that is terminating and confluent and obtain normal forms for SAND attack trees. As a consequence, we achieve the rather surprising result that the domains of SAND attack trees and sets of SP graphs are isomorphic. We also extend the notion of attributes to SAND attack trees, which enables the quantitative analysis of attack scenarios using the standard bottom-up evaluation algorithm.


One of the goals of our work is to provide a level of abstraction that encompasses most of the existing approaches from the literature. For example, operators such as the priority-based and the time-based connectors [28] are indeed captured by the SAND operator defined in this article. Moreover, other published semantics, such as those based on cumulative distribution functions [2], conditional probabilities [?], or Boolean algebra [?], can be expressed as an attribute in our formalism. Last but not least, even though we make the distinction between AND and SAND refinements explicit, our semantics satisfies backward compatibility with the well-known multiset semantics of attack trees [18]. This stresses the much-needed unifying character of our approach.


Organization: Section 2 summarizes the related work and puts our work in context. Section 3 provides a formal definition of SAND attack trees and their semantics using series-parallel graphs. Section 4 defines a complete set of axioms for SAND attack trees and presents a term rewriting system which allows identification of semantically equivalent SAND attack trees. Section 5 outlines an approach to quantitatively analyze SAND attack trees using attributes. Finally, Section 6 concludes with an outlook on future work.
2 Related Work and Motivation


Several extensions of attack trees with temporal or causal dependencies between attack steps have been proposed. We observe that there are three different approaches to achieve this goal. The first approach is to use standard attack trees with the added assumption that the children of an AND node are sequentially ordered. This approach is mostly applied to the design of algorithms or tools for the analysis of attack trees under the assumption of ordered events.

The second approach is to introduce a mechanism for ordering events in an attack tree, for instance by adding a new type of edge to express causality or conditionality. In its most general case, any partial order on the events in an attack tree can be specified. The third approach consists of the introduction of a new type of node for sequencing. Most extensions fall in this category. This approach is used by authors who require their formalism to be backward compatible, or who need standard as well as ordered conjunction. We discuss for each of these approaches the most relevant papers with respect to the present article. That is, we only consider approaches that still have the main characteristics of attack trees, being the presence of AND and OR nodes and the interpretation of the edges as a refinement relation. Thus, we consider approaches such as attack graphs [?] and Bayesian networks [23, ?] as out of scope for this paper.


Approaches with a sequential interpretation of AND. In their work on Bayesian networks for security, Qin and Lee define a transformation from attack trees to Bayesian networks [23]. They state that “there always exists an implicit dependent and sequential relationship between AND nodes in an attack tree.” Most literature on attack trees seems to contradict this statement, implying that there is a need to explicitly identify such sequential relationships.

Jürgenson and Willemson developed an algorithm to calculate the expected outcome of an attack tree [?]. The goal of the algorithm is to determine a permutation of leaves for which the optimal expected outcome for an attacker can be achieved. In essence, their input is an attack tree where an AND node represents all possible sequences of its children. A peculiarity of their interpretation is that multiple occurrences of the same node are considered only once, implying that executing the same action twice cannot be expressed.


Approaches introducing a general order. Peine, Jawurek, and Mandel introduce security goal indicator trees [20] in which nodes can be related by a notion of conditional dependency and Boolean connectors. The authors, however, do not formally specify the syntax and semantics of the model. A more general approach is proposed by Piètre-Cambacédès and Bouissou [21], who apply Boolean logic driven Markov processes to security modeling. Their formalism does not introduce new gates, but a (trigger-)relation on the nodes of the attack tree. Although triggers can express a more general sequential relation than the SAND operator, they lack the readability of standard attack tree operators.

Vulnerability cause graphs [?] combine properties of attack trees (AND and OR nodes) and attack graphs (edges express order rather than refinement). The interaction between the AND nodes and the order relation is defined through a graph transformation called conversion of conjunctions, which ignores the order between nodes. This discrepancy could be solved by considering distinct conjunctive and sequential conjunctive nodes, as we do in this paper.


Approaches introducing sequential AND. As noted by Arnold et al. [2], the analysis of time-dependent attacks requires attack trees to be extended with a sequential operator. This is accomplished by defining sequential nodes as conjunctive nodes with a notion of progress of time. The authors define a formal semantics for this extension based on cumulative distribution functions (CDFs), where a CDF denotes the probability that a successful attack occurs within time t. The main difference with our work is that their approach is based on an explicit notion of time, while we have a more abstract approach based on causality. In their semantics, the meaning of an extended attack tree is a CDF, in which the relation to the individual basic attacks is not explicit anymore. In contrast, in our semantics the individual basic attacks and their causal ordering remain visible. As such, our semantics can be considered more abstract, and indeed, we can formulate their semantics as an attribute in our approach.

Enhanced attack trees [5] (EATs) distinguish between OR, AND and OAND (Ordered AND). Similarly to the approach of Arnold et al. [2], ordered AND nodes are used to express temporal dependencies between attack components. The authors evaluate EATs by transforming them into tree automata. Intermediate states in the automaton support the task of reporting partial attacks. However, because every intermediate node of the tree corresponds to a state in the tree automaton, their approach does not scale well. This problem can be addressed by considering the normal form of attack trees, as proposed in this article.

Not every extension of attack trees with SAND refinements concerns time-dependent attack scenarios; some aim at supporting risk analyses with conditional probabilities. For that purpose, Wen-Ping and Wei-Min introduce improved attack trees [?]. The concepts, however, are described at an intuitive level only.

Unified parameterizable attack trees [28] unify different extensions of attack trees (structural, computational, and hybrid). The authors consider two types of ordered AND connectors: priority-based connectors and time-based connectors. The children of the former are ordered from highest to lowest priority, whereas the children of the latter are ordered temporally. Our formalism gives a single interpretation to the SAND operator, yet it can capture both connectors.

Due to obvious similarities, we also review approaches that introduce the SAND operator in fault trees. For example, Brooke and Paige include five fault tree gates: AND, OR, priority AND, exclusive OR, and an inhibit gate [3]. The authors do not discuss the semantics of their model for security, though. Another fault tree based approach is discussed by Khand [?], who proposes to extend attack trees with a set of gates from dynamical fault tree modeling that overlaps with the gates used by Brooke and Paige [3] and in particular contains the priority AND gate. Khand assigns truth values to his attack trees by giving truth tables for all gates. Khand’s truth tables, when restricted to AND, OR, and priority AND, constitute an attribute domain which is compatible (in the sense of [?]) with the SP semantics for SAND attack trees as defined in this paper.

We observe that the extensions of attack trees with sequential conjunction are rather diverse in terms of application domain, interpretation, and formality. In order to give a clear and unambiguous interpretation of the SAND operator and capture different application domains, it is necessary to give a formal semantics as a translation to a well-understood domain. Note that neither the multiset [18] nor the propositional semantics [?] can express ordering of attack components. Therefore, a richer semantical domain needs to be defined. The purpose of this article is to address this problem.

3 Attack Trees with Sequential Conjunction 

We extend the attack tree formalism so that a refinement of a (sub-) goal of an 
attacker can be a sequential conjunct (denoted by SAND) in addition to disjuncts 
and conjuncts. We first give a definition of attack trees with the new sequential 
operator and then define series-parallel graphs on which the semantics for the 
new attack trees is based. 


3.1 SAND Attack Trees 

Let B denote the set of all possible basic actions of an attacker. We formalize standard attack trees introduced by Schneier in [26] and call them simply attack trees in the rest of this paper. Attack trees are closed terms over the signature B ∪ {OR, AND}, generated by the following grammar, where b ∈ B is a terminal symbol.

t ::= b | OR(t, ..., t) | AND(t, ..., t).   (1)

The universe of attack trees is denoted by T. SAND attack trees are closed terms over the signature B ∪ {OR, AND, SAND}, where SAND is a non-commutative operator called sequential conjunction, and are generated by the grammar

t ::= b | OR(t, ..., t) | AND(t, ..., t) | SAND(t, ..., t).   (2)

The universe of SAND attack trees is denoted by T_SAND. The purpose of OR and AND refinements in SAND attack trees is the same as in attack trees. The sequential conjunctive refinement SAND allows us to model that a certain goal is reached if and only if all its subgoals are reached in a precise order.

The following attack scenario motivates the need for extending attack trees 
with sequential conjunctive refinement. 

Example 1. Consider a file server S, offering ftp, ssh, and rsh services. The attack tree in Figure 1 shows how an attacker can gain root privileges on S (become root) in two ways: either without providing any user credentials (no-auth) or by breaching the authentication mechanism (auth).

[Figure 1 (image not reproduced): the root node become root has an OR refinement into no-auth and auth; no-auth is a SAND refinement into gain user privileges and lobf, where gain user privileges is itself a SAND refinement into ftp and rsh; auth is an AND refinement into ssh and rsa.]

Fig. 1. An attack tree with sequential and parallel conjunctions

In the first case, the attacker must first gain user privileges on S (gain user privileges) and then perform a local buffer overflow attack (lobf). Since the attack steps must be executed in this particular order, the use of the SAND refinement is substantial. To gain user privileges, the attacker must exploit an ftp vulnerability to anonymously upload a list of trusted hosts to S (ftp). Finally, she can use the new trust condition to remotely execute shell commands on S (rsh).

The second way is to abuse a buffer overflow in both the ssh daemon (ssh) and the RSAREF2 library (rsa) used for authentication. These attacks can be executed in any order, which is modeled with the standard AND refinement.

The second way is to abuse a buffer overflow in both the ssh daemon (ssh) 
and the RSAREF2 library (rsa) used for authentication. These attacks can be 
executed in any order, which is modeled with the standard AND refinement. 

Using the term notation introduced in this section, we can represent the SAND attack tree in Figure 1 as

OR(SAND(SAND(ftp, rsh), lobf), AND(ssh, rsa)),

where ftp, rsh, lobf, ssh, rsa ∈ B are basic actions.

3.2 Series-Parallel Graphs 

A series-parallel graph (SP graph) is an edge-labeled directed graph that has 
two unique, distinct vertices, called source and sink, and that can be constructed 
with the two operators for sequential and parallel composition of graphs that we 
formally define below. A source is a vertex which has no incoming edges and a 
sink is a vertex without outgoing edges. 

Our formal definition of SP graphs is based on multisets, i.e., sets in which members are allowed to occur more than once. We use {|·|} to denote multisets and P(·) to denote powersets. The support M* of a multiset M is the set of distinct elements in M. For instance, the support of the multiset M = {|b_1, b_2, b_2|} is {b_1, b_2}.

(Footnote to Example 1.) For readability, attack actions are named after the services that are exploited.

In order to define SP graphs, we first introduce the notion of source-sink graphs labeled by the elements of B.

Definition 1. A source-sink graph over B is a tuple G = (V, E, s, z), where V is the set of vertices, E is a multiset of labeled edges with support E* ⊆ V × B × V, s ∈ V is the unique source, z ∈ V is the unique sink, and s ≠ z.

The sequential composition of a source-sink graph G = (V, E, s, z) with a source-sink graph G' = (V', E', s', z'), denoted by G · G', is the graph resulting from taking the disjoint union of G and G' and identifying the sink of G with the source of G'. More precisely, let ⊎ denote the disjoint union operator and E[s'/z] denote the multiset of edges in E where all occurrences of vertex z are replaced by vertex s'. Then we define

G · G' = (V \ {z} ⊎ V', E[s'/z] ⊎ E', s, z').


The parallel composition, denoted by G || G', is defined similarly, except that the two sources are identified and the two sinks are identified. Formally, we have

G || G' = (V \ {s, z} ⊎ V', E[s'/s, z'/z] ⊎ E', s', z').

It follows directly from the definitions that the sequential composition is associative and that the parallel composition is associative and commutative.

We write -b-> for the graph with a single edge labeled with b and define SP graphs as follows.

Definition 2. The set G_SP of series-parallel graphs (SP graphs) over B is defined inductively by the following two rules:

— For b ∈ B, -b-> is an SP graph.

— If G and G' are SP graphs, then so are G · G' and G || G'.

It follows directly from Definition 2 that SP graphs are connected and acyclic. Moreover, every vertex of an SP graph lies on a path from the source to the sink. We consider two SP graphs to be equal if there is a bijection between their sets of vertices that preserves the edges and edge labels.

Example 2. Figure 2 shows an example of an SP graph with the source s and the sink z. This graph corresponds to a construction of the shape

(→ || → || →) · → · ((→ · (→ || →)) || →),

where each arrow stands for a single-edge graph whose label is as shown in Figure 2.


3.3 SP Semantics for SAND Attack Trees 

Fig. 2. A series-parallel graph (image not reproduced)

Numerous semantics have been proposed to interpret attack trees, including propositional logic [?], multisets [18], De Morgan lattices [?], tree automata [5], and Markov processes [?]. The choice of a semantics allows us to accurately represent the assumptions made in a security scenario, e.g., whether actions can be repeated or resources reused, and to decide which trees represent the same security scenario. The advantages of formalizing attack trees and the need for various semantics have been discussed in [13]. Since attack trees are AND/OR trees, the most natural interpretation is based on propositional logic. However, because the logical operators are idempotent, this interpretation assumes that the multiplicity of an action is irrelevant. As a consequence, the propositional semantics is not well suited to reason about scenarios with multiple occurrences of the same action. Due to this lack of expressivity a semantics was proposed [18] in which the multiplicity of actions is taken into account. This was achieved by interpreting an attack tree as a set of multisets that represent different ways of reaching the root goal. This multiset semantics is compatible with computations that depend on the number of occurrences of an action in the tree, such as the minimal time to carry out the attack represented by the root goal.

We now extend the multiset semantics to SAND attack trees. Since SP graphs naturally extend multisets with a partial order, they supply a formalism in which we can interpret trees using both — commutative and sequential — conjunctive refinements. SP graphs therefore provide a canonical semantics for SAND trees in which multiplicity and ordering of goals and actions are significant. The idea is to interpret an attack tree t as a set of SP graphs. The semantics [t]_SP = {G_1, ..., G_k} of a tree t corresponds to the set of possible attacks G_i, where each attack is described by an SP graph labeled by the basic actions of t.

Definition 3. The SP semantics for SAND attack trees is given by the function [·]_SP : T_SAND → P(G_SP), which is defined recursively as follows: for b ∈ B, t_i ∈ T_SAND, 1 ≤ i ≤ k,

[b]_SP = { -b-> }

[OR(t_1, ..., t_k)]_SP = ⋃_{i=1}^{k} [t_i]_SP

[AND(t_1, ..., t_k)]_SP = { G_1 || ... || G_k | (G_1, ..., G_k) ∈ [t_1]_SP × ... × [t_k]_SP }

[SAND(t_1, ..., t_k)]_SP = { G_1 · ... · G_k | (G_1, ..., G_k) ∈ [t_1]_SP × ... × [t_k]_SP }.

The SP semantics maps SAND attack trees to sets of SP graphs as follows. A leaf 
corresponding to a basic action b is translated into a singleton set containing 
the SP graph which consists of a single edge labeled with b. The semantics 
of a disjunctive node is the set of all the alternative attacks described by the 
node’s children. The semantics of a conjunctive node is the parallel composition
of every attack alternative from each of its children. Finally, the semantics of 
a sequential conjunctive node is a sequential composition of attack alternatives 
for the children. 

Example 3. The SP semantics of the attack tree t depicted in Figure 1 is

[t]_SP = { -ftp-> -rsh-> -lobf->,  -ssh-> || -rsa-> }.

As shown in Example 3, the SP semantics provides an alternative graph representation for attack trees and therefore contributes a different perspective on an attack scenario. The SAND attack tree emphasizes the refinement of goals, whereas SP graphs highlight the sequential aspect of attacks.
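The compositions of Definition 1 and the recursive clauses of Definition 3, carried out on the tree of Example 1, as an added example that is not part of the paper; the integer vertex ids, the tuple encoding of terms and the helper names are this example's own choices.

```python
"""SP semantics of SAND attack trees (Definitions 1-3), as an added example.

A term is a basic action (a string) or a tuple ("OR" | "AND" | "SAND", child, ...).
A source-sink graph is (V, E, s, z) as in Definition 1: V a set of vertex ids,
E a list (multiset) of labeled edges (u, b, v), s the source and z the sink.
"""
from functools import reduce
from itertools import count, product

_fresh = count()  # globally unique vertex ids, so every new edge graph is disjoint from the others


def edge_graph(b):
    """The SP graph with a single edge labeled b: s -b-> z."""
    s, z = next(_fresh), next(_fresh)
    return ({s, z}, [(s, b, z)], s, z)


def _rename(E, mapping):
    """E[v'/v, ...]: the edge multiset E with vertices replaced according to mapping."""
    return [(mapping.get(u, u), b, mapping.get(v, v)) for (u, b, v) in E]


def seq(G, H):
    """Sequential composition G . H: glue the sink of G onto the source of H."""
    V, E, s, z = G
    V2, E2, s2, z2 = H
    return ((V - {z}) | V2, _rename(E, {z: s2}) + E2, s, z2)


def par(G, H):
    """Parallel composition G || H: identify the two sources and the two sinks."""
    V, E, s, z = G
    V2, E2, s2, z2 = H
    return ((V - {s, z}) | V2, _rename(E, {s: s2, z: z2}) + E2, s2, z2)


def sp_semantics(t):
    """[t]_SP as a list of SP graphs, following Definition 3 case by case.

    Duplicate graphs (e.g. from OR(b, b)) are not merged here: deciding graph
    equality modulo isomorphism is the job of the normal forms of Section 4.
    """
    if isinstance(t, str):                       # leaf: a basic action
        return [edge_graph(t)]
    op, *children = t
    if op == "OR":                               # union of the children's attack sets
        return [g for c in children for g in sp_semantics(c)]
    compose = par if op == "AND" else seq        # AND: ||, SAND: .
    # one graph per choice of one attack from each child (the Cartesian product)
    return [reduce(compose, choice)
            for choice in product(*(sp_semantics(c) for c in children))]


def path_labels(G):
    """Label sequences of all source-to-sink paths: a readable (but lossy) view of G."""
    V, E, s, z = G
    succ = {}
    for (u, b, v) in E:
        succ.setdefault(u, []).append((b, v))

    def walk(u):
        if u == z:
            return [()]
        return [(b,) + rest for (b, v) in succ.get(u, []) for rest in walk(v)]

    return sorted(walk(s))


# The SAND attack tree of Figure 1 / Example 1, in the term notation of Section 3.1.
EXAMPLE_TREE = ("OR", ("SAND", ("SAND", "ftp", "rsh"), "lobf"), ("AND", "ssh", "rsa"))

if __name__ == "__main__":
    for G in sp_semantics(EXAMPLE_TREE):
        print(len(G[0]), "vertices,", len(G[1]), "edges, paths:", path_labels(G))
```

Running it prints the two attacks of Example 3: a chain of four vertices carrying ftp, rsh, lobf, and a two-vertex graph whose source and sink are joined by the two parallel edges ssh and rsa.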

The SP semantics provides a natural partition of T_SAND into equivalence classes.

Definition 4. Two SAND attack trees t_1 and t_2 are equivalent with respect to the SP semantics if and only if they are interpreted by the same set of SP graphs, i.e., [t_1]_SP = [t_2]_SP.

By Definition 4, if the SP semantics provides accurate assumptions for an attack scenario, then two SAND attack trees represent the same attack scenario if and only if they are equivalent with respect to the SP semantics.

We finish this section by noticing that in the case of SAND attack trees without any SAND refinement, the SP semantics coincides with the multiset semantics introduced in [18]. Indeed, it suffices to identify the multiset {|b_1, ..., b_k|} with the SP graph -b_1-> || ... || -b_k->. We discuss this issue in more detail in Section 4.3.


4 Axiomatization of the SP Semantics 

In order to provide efficient analysis methods for attack tree-like models, we need 
to be able to decide whether two trees are equivalent with respect to a given 
semantics. Ideally, we would like to find the most efficient (e.g., the smallest) 
representation of a given security scenario. However, in the case of the SAND 
semantics, there exists an infinite number of trees t' equivalent to a given tree t. 

In this section we study the mathematical implications of using sets of SP graphs as an interpretation domain for SAND attack trees. We introduce an axiomatization of SAND attack trees which is complete with respect to the SP semantics. This allows us to reason directly on SAND attack trees, without having to move to the semantical domain. Further, we derive a term rewriting system from the axiomatization as a means to effectively decide whether two SAND attack trees are equivalent with respect to the SP semantics. As a consequence, we obtain a canonical representation of SAND attack trees which we prove to be isomorphic to sets of SP graphs.
4.1 A complete set of axioms for the SP semantics

Let V be a set of variables denoted by capital letters. Following the approach developed in [?], we axiomatize SAND attack trees with equations l = r, where l and r are terms over variables in V, constants in B, and the operators AND, OR, and SAND. The equations formalize the intended properties of refinements and provide semantics-preserving transformations of SAND attack trees.

Example 4. Let Sym_ℓ denote the set of all bijections from {1, ..., ℓ} to itself. The axiom

AND(Y_1, ..., Y_ℓ) = AND(Y_σ(1), ..., Y_σ(ℓ))

expresses that the order between children refining a parallel conjunctive node is not relevant. In other words, the operator AND is commutative. This implies that any two trees of the form AND(t_1, ..., t_ℓ) and AND(t_σ(1), ..., t_σ(ℓ)) represent the same scenario.

Our goal is to define a complete set of axioms, denoted by E_SP, for the SP semantics for SAND attack trees. Intuitively, E_SP is a set of equations that can be applied to transform a SAND attack tree into any equivalent SAND attack tree with respect to the SP semantics. Before defining the set E_SP, we formalize the notion of a complete set of axioms for a given semantics for (SAND) attack trees, following [?].

Let T(V, Σ) be the free term algebra over the set of variables V and a signature Σ, and let E be a set of equations over T(V, Σ). The equation t = t', where t, t' ∈ T(V, Σ), is a syntactic consequence of E (denoted by E ⊢ t = t') if it can be derived from E by application of the following rules. For all t, t', t'' ∈ T(V, Σ), ρ : V → T(V, Σ), and X ∈ V:

— E ⊢ t = t,

— if t = t' ∈ E, then E ⊢ t = t',

— if E ⊢ t = t', then E ⊢ t' = t,

— if E ⊢ t = t' and E ⊢ t' = t'', then E ⊢ t = t'',

— if E ⊢ t = t', then E ⊢ ρ(t) = ρ(t'),

— if E ⊢ t = t', then E ⊢ t''[t/X] = t''[t'/X], where t''[t/X] is the term obtained from t'' by replacing all occurrences of variable X with t.

Let T_V^SAND denote the set of terms constructed from the set of variables V, the set of basic actions B (treated as constants), and operators OR, AND and SAND. Let T_V be the set of terms constructed from the same parts, except for the operator SAND. Using the notion of syntactic consequence, we define a complete set of axioms for a semantics for attack trees.

Definition 5. Let [·] be a semantics for attack trees (resp. SAND attack trees) and let E be a set of equations over T_V (resp. T_V^SAND). The set E is a complete set of axioms for [·] if and only if for all t, t' ∈ T (resp. T_SAND)

[t] = [t'] ⟺ E ⊢ t = t'.
We are now ready to give a complete set of axioms for the SP semantics for SAND attack trees. These axioms allow us to determine whether two visually distinct trees represent the same security scenario according to the SP semantics.

Theorem 1. Given k, m ≥ 0 and ℓ ≥ 1, let X = X_1, ..., X_k, Y = Y_1, ..., Y_ℓ, and Z = Z_1, ..., Z_m be sequences of variables. Let Sym_ℓ be the set of all bijections from {1, ..., ℓ} to itself. The following set of equations over T_V^SAND, denoted by E_SP, is a complete set of axioms^5 for the SP semantics for SAND attack trees.

OR(Y_1, ..., Y_ℓ) = OR(Y_σ(1), ..., Y_σ(ℓ)),   ∀σ ∈ Sym_ℓ   (E_1)

AND(Y_1, ..., Y_ℓ) = AND(Y_σ(1), ..., Y_σ(ℓ)),   ∀σ ∈ Sym_ℓ   (E_2)

OR(X, OR(Y)) = OR(X, Y)   (E_3)

AND(X, AND(Y)) = AND(X, Y)   (E_4)

SAND(X, SAND(Y), Z) = SAND(X, Y, Z)   (E_4')

OR(X) = X   (E_5)

AND(X) = X   (E_6)

SAND(X) = X   (E_6')

AND(X, OR(Y)) = OR(AND(X, Y_1), ..., AND(X, Y_ℓ))   (E_10)

SAND(X, OR(Y), Z) = OR(SAND(X, Y_1, Z), ..., SAND(X, Y_ℓ, Z))   (E_10')

OR(Y, Y, X) = OR(Y, X).   (E_11)

The numbering of the axioms in E_SP corresponds to the numbering of the axioms for the multiset semantics for standard attack trees, as presented in [18], while new axioms (involving SAND) are marked with primes.

Proof. The proof of this theorem follows the same line of reasoning as the proofs of Theorems 4.2 and 4.3 of Gischer [7], where series-parallel pomsets are axiomatized. To prove the theorem, we remark that SP graphs form a visual representation of series-parallel partially ordered multisets (SP pomsets). A complete, finite axiomatization of pomsets under concatenation, parallel composition and union has been provided in [7], where sets of series-parallel pomsets have been used to represent processes. In our case, sets of series-parallel pomsets (i.e., sets of SP graphs) represent attack trees constructed using AND (having the same properties as the parallel composition of processes), SAND (having the same properties as concatenation), and OR (having the same properties as choice). The set E_SP corresponds to the axioms from [7]. The axioms involving the identity elements (i.e., 1, the empty pomset, and 0, the empty process) have been omitted because they can only be used for transforming processes involving 0 or 1, and such identity elements do not exist in the case of attack trees. Furthermore, our axioms are written using unranked operators, contrary to the binary operators of concatenation, parallel composition, and choice.

□

^5 Note that the axioms are in fact axiom schemes. The operators OR, AND and SAND are unranked, representing infinitely many k-ary function symbols (k ≥ 1).
4.2 SAND Attack Trees in Canonical Form


Let [•] be a semantics for (SAND) attack trees. A complete axiomatization of 
[•] can be used to derive a canonical form of trees interpreted with [■]. Such 
canonical forms provide the most concise representation for equivalent trees and 
are the natural representatives of equivalence classes defined by [■]. 

When SAND attack trees are interpreted using the SP semantics, their canonical forms consist of either a single basic action, or of a root node labeled with OR and subtrees with nested, alternating occurrences of AND and SAND nodes. Canonical forms correspond exactly to the sets of SP graphs labeled by B and they depict all attack alternatives in a straightforward way.

Canonical representations of SAND attack trees under the SP semantics can be defined using the complete set of axioms E_SP. By orienting the equations (E_3), (E_4), (E_4'), (E_5), (E_6), (E_6'), (E_10), (E_10'), and (E_11) from left to right, we obtain a term rewriting system, denoted by R_SP. The canonical representations of SAND attack trees correspond to normal forms with respect to R_SP. In the rest of this section we show that the normal forms with respect to R_SP are exactly the terms generated by the following grammar, where k ≥ 2 and b ∈ B:

N ::= C | OR(C_1, ..., C_k)   for C_i ≠ C_j if i ≠ j   (3)

C ::= A | S

A ::= b | AND(S_1, ..., S_k)

S ::= b | SAND(A_1, ..., A_k).


The non-terminal A produces all trees that consist of a single basic action or are a nested alternation of AND and SAND operators, where the outer operator is AND. Similarly, S produces all such trees where the outer operator is SAND. The non-terminal C generates the two previously described types of trees. Finally, N combines the trees generated by C using the OR refinement. We denote the sets of terms generated by N, C, A, and S by T_N, T_C, T_A, and T_S, respectively.

We first observe that the terms generated by the non-terminal N correspond 
exactly to all sets of SP graphs labeled by the elements of B. 

Lemma 1. The restriction of the function ⟦·⟧_SP to T_N is a bijection from T_N to 𝒫(𝔾_SP).

Proof. The proof consists of two steps. First we prove that the terms from T_C correspond exactly to SP graphs, after which we extend this result to the correspondence between T_N and the sets of SP graphs.

1. ⟦·⟧_SP is a bijection from T_C to 𝔾_SP.

For injectivity we prove by induction that ⟦C_1⟧_SP = ⟦C_2⟧_SP implies C_1 = C_2. Given that for every t ∈ T_C the set ⟦t⟧_SP contains a single SP graph, we abuse notation and refer to ⟦t⟧_SP as the SP graph contained in ⟦t⟧_SP. Let us assume that C_1 is a basic action b; then ⟦C_1⟧_SP is a single-edge graph, and it follows that C_2 = b, considering the edge label preservation property of two isomorphic SP graphs. Let us consider now that C_1 = AND(S^1_1, …, S^1_k) for some k ≥ 2, which means that ⟦C_1⟧_SP = ⟦S^1_1⟧_SP ∥ ⋯ ∥ ⟦S^1_k⟧_SP. Given that ⟦C_1⟧_SP = ⟦C_2⟧_SP, for every i ∈ {1, …, k}, ⟦C_2⟧_SP contains a subgraph G_i which is isomorphic to ⟦S^1_i⟧_SP. Thus, considering that ⟦S^1_i⟧_SP is either a basic action or a sequential composition, we have that ⟦C_2⟧_SP = G_1 ∥ ⋯ ∥ G_k and, according to grammar (3), C_2 = AND(S^2_1, …, S^2_k), for some terms S^2_1, …, S^2_k ∈ T_S. By the induction hypothesis, it follows that ⟦S^1_i⟧_SP = G_i = ⟦S^2_i⟧_SP implies S^1_i = S^2_i, which leads to C_1 = C_2. A similar proof can be obtained for the case where C_1 = SAND(A^1_1, …, A^1_k).

Surjectivity follows from the fact that every SP graph has a unique (modulo associativity) decomposition in terms of the operators for sequential and parallel composition. Such a decomposition naturally corresponds to terms from T_C.

2. ⟦·⟧_SP is a bijection from T_N to 𝒫(𝔾_SP).

For injectivity, we assume that ⟦N_1⟧_SP = ⟦N_2⟧_SP. This implies that the sets ⟦N_1⟧_SP and ⟦N_2⟧_SP have the same size and the same elements. If this size is 1, then they both contain the same element, which uniquely corresponds to a term C, so N_1 = C = N_2. If the size of the sets is larger than 1, then the N_i are of the form OR(C^i_1, …, C^i_{k_i}), for i ∈ {1, 2}. Since ⟦N_1⟧_SP = ⟦N_2⟧_SP, the elements of these two sets are pairwise identical. Moreover, by definition, all arguments in N_i are different, which implies k_1 = k_2. From the previous item, it follows that the elements of ⟦N_i⟧_SP correspond uniquely to C^i_1, …, C^i_k. From the pairwise equality between the arguments of the two terms, it follows that N_1 and N_2 are identical.

For surjectivity, let {G_1, …, G_k} be a set of SP graphs. It follows from the previous item that there exist trees C_1, …, C_k such that ⟦C_i⟧_SP = G_i, for i ∈ {1, …, k}. This implies that {G_1, …, G_k} = ⟦OR(C_1, …, C_k)⟧_SP, which finishes the proof of surjectivity.

□ 

Lemma 1 shows that the grammar (3) generates all SAND attack trees in canonical form. It remains to be proven that the set of trees generated by the grammar (3) is equal to the set of normal forms of the term rewriting system R_SP and that these normal forms are unique.

Theorem 2. The term rewriting system R_SP is strongly terminating and confluent.

Proof. We show that the term rewriting system R_SP is terminating and confluent with the help of the grammar (3), in four steps.

1. First, we show with standard methodology that the term rewriting system is terminating. We define the following norm which assigns natural numbers to terms:

$$
\begin{aligned}
|b| &= 1\\
|\mathrm{OR}(X_1,\ldots,X_k)| &= |X_1| + \cdots + |X_k| + 2\\
|\mathrm{AND}(X_1,\ldots,X_k)| &= 2 \cdot |X_1| \cdot \ldots \cdot |X_k|\\
|\mathrm{SAND}(X_1,\ldots,X_k)| &= 2 \cdot |X_1| \cdot \ldots \cdot |X_k|
\end{aligned}
$$

It can be easily verified that for every rewrite rule l → r ∈ R_SP, we have |l| > |r|. Consequently, there are no infinite reduction sequences, or, in other words, the term rewriting system is strongly terminating. Notice that because we consider term rewriting modulo commutativity of OR and AND, we have to verify that the left-hand side and the right-hand side of equations (E1) and (E2) have equal norms. This is clearly the case.

2. Now we prove that the terms produced by the grammar (3) are exactly the normal forms with respect to R_SP. For the terms in T_C, none of the rewrite rules can be applied, because these terms do not contain OR, have no occurrences of AND containing an argument of type AND, have no occurrences of SAND containing an argument of type SAND, and do not contain operators with a single argument. We extend this to terms in T_N by observing that all OR operators occurring in such terms have at least two arguments and that all these arguments are different.

3. Conversely, consider a term t in normal form that contains an OR operator. Then t = OR(t_1, …, t_n), where the t_i do not contain an OR operator, else (E3), (E10), or (E10') can be applied. It remains to show that normal form terms without occurrence of an OR operator are in T_C. Such terms are basic terms or have SAND or AND as their top-level operator. The last two cases are symmetric and we therefore only consider the case AND(t_1, …, t_n). We must show that each t_i is a basic term or of the form t_i = SAND(t'_1, …, t'_m). Suppose not; then there exists a t_i that has AND as its top-level operator. It follows that the term is not in normal form because (E4) can be applied.

4. The normal forms are unique. To show that the normal forms are unique, assume that N_1 and N_2 are both normal forms for a SAND attack tree t. Since the rewrite system R_SP was constructed by orienting the axioms from E_SP, we have that E_SP ⊢ N_1 = N_2. This means that ⟦N_1⟧_SP = ⟦N_2⟧_SP. From the bijectivity proven in Lemma 1 we obtain N_1 = N_2.

Now that we have proven termination and uniqueness of normal forms, it immediately follows that the term rewriting system is confluent [8].

□ 


Example 5 illustrates the notion of canonical form for SAND attack trees.

Example 5. The canonical form of the SAND attack tree t in Figure 1 is the tree

$$ t' = \mathrm{OR}\big(\mathrm{SAND}(\mathit{ftp}, \mathit{rsh}, \mathit{lobf}),\ \mathrm{AND}(\mathit{ssh}, \mathit{rsa})\big) $$

shown in Figure 3. It is easily seen to be in normal form with respect to R_SP.
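The rewriting of a SAND attack tree to its normal form, and the check that the result is generated by grammar (3), written out as an added example; this is illustrative code, not the authors' implementation. A basic action is encoded as a string and a refined node as a pair (op, args); the rules are the oriented axioms named above (nested-operator flattening, OR idempotence, unary collapse, distributivity of AND and SAND over OR), with commutativity of OR and AND handled by a fixed argument order rather than by rewriting. The shape of the running tree t of Figure 1 is not on this page and is assumed here to be OR(SAND(SAND(ftp, rsh), lobf), AND(ssh, rsa)), which is the shape the evaluation in Example 6 suggests; the function names are this example's own.

```python
"""Added example: the term rewriting system R_SP and the grammar (3).

A term is a str (basic action) or (op, args) with op in {"OR", "AND", "SAND"}
and args a tuple of terms.  Axiom labels follow the paper; the rule shapes
are this example's reading of them.
"""


def normalize(t):
    """Rewrite t to its normal form with respect to R_SP (children first, then root)."""
    if isinstance(t, str):                       # a basic action is already in normal form
        return t
    op, args = t
    args = [normalize(a) for a in args]
    flat = []                                    # (E3), (E4), (E4'): flatten a nested same operator
    for a in args:
        if not isinstance(a, str) and a[0] == op:
            flat.extend(a[1])
        else:
            flat.append(a)
    args = flat
    if op == "OR":                               # (E5): OR is idempotent, drop duplicate alternatives
        args = list(dict.fromkeys(args))
    if len(args) == 1:                           # (E6), (E6'), (E11): a unary operator disappears
        return args[0]
    if op in ("AND", "SAND"):                    # (E10), (E10'): distribute over the first OR argument;
        for i, a in enumerate(args):             # SAND keeps its argument order, so the OR stays in place
            if not isinstance(a, str) and a[0] == "OR":
                alts = [normalize((op, tuple(args[:i] + [y] + args[i + 1:]))) for y in a[1]]
                return normalize(("OR", tuple(alts)))
    if op in ("OR", "AND"):                      # (E1), (E2): commutative operators get a fixed order
        args = sorted(args, key=repr)
    return (op, tuple(args))


def _is_A(t):   # non-terminal A: b | AND(S_1, ..., S_k), k >= 2
    return isinstance(t, str) or (t[0] == "AND" and len(t[1]) >= 2 and all(_is_S(a) for a in t[1]))


def _is_S(t):   # non-terminal S: b | SAND(A_1, ..., A_k), k >= 2
    return isinstance(t, str) or (t[0] == "SAND" and len(t[1]) >= 2 and all(_is_A(a) for a in t[1]))


def in_canonical_form(t):
    """True iff t is generated by non-terminal N of grammar (3)."""
    if _is_A(t) or _is_S(t):
        return True
    return (t[0] == "OR" and len(t[1]) >= 2
            and all(_is_A(a) or _is_S(a) for a in t[1])
            and len(set(t[1])) == len(t[1]))     # OR arguments pairwise different


def norm(t):
    """The termination norm of Theorem 2: |b| = 1, OR sums (+2), AND/SAND multiply (x2)."""
    if isinstance(t, str):
        return 1
    op, args = t
    if op == "OR":
        return sum(norm(a) for a in args) + 2
    value = 2
    for a in args:
        value *= norm(a)
    return value


def equivalent(t1, t2):
    """Equivalence under the SP semantics: equal normal forms (Theorem 2 and Lemma 1)."""
    return normalize(t1) == normalize(t2)


# Assumed shape of the running tree t (Figure 1) and its canonical form t' (Example 5).
T = ("OR", (("SAND", (("SAND", ("ftp", "rsh")), "lobf")), ("AND", ("ssh", "rsa"))))
T_PRIME = ("OR", (("SAND", ("ftp", "rsh", "lobf")), ("AND", ("ssh", "rsa"))))

if __name__ == "__main__":
    print(normalize(T))                                   # t' up to the argument order of OR and AND
    print(in_canonical_form(T), in_canonical_form(normalize(T)))
    print(equivalent(T, T_PRIME), norm(T), norm(T_PRIME))
```

Because normalize fixes the argument order of the commutative operators, two terms are SP-equivalent exactly when their normal forms are identical Python values, which is what the bijection of Lemma 1 licenses; the norm function lets one confirm on any input that each rewrite strictly decreases the measure used in the termination argument.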


4.3 SP Semantics as a Generalization of the Multiset Semantics 

Having a complete set of axioms for the SP semantics allows us to formalize the relation between SAND attack trees under the SP semantics and attack trees under the multiset semantics, denoted by ⟦·⟧_M. This is achieved by extracting a complete set of axioms for the multiset semantics for attack trees from the set E_SP. Let E_M be the subset of axioms from E_SP that do not contain the SAND operator, i.e., E_M = {(E1), (E2), (E3), (E4), (E5), (E6), (E10), (E11)}.

Fig. 3. SAND attack tree t' equivalent to SAND attack tree t from Figure 1 (root: become root; leaves: ftp, rsh, lobf, ssh, rsa).


Theorem 3. The axiom system E_M is a complete set of axioms for the multiset semantics for attack trees.


Proof. In [13, Theorem 4.9], a complete axiomatization of the multiset semantics for an extension of attack trees called attack-defense trees (ADTrees) is given. In the following, we call that axiomatization E_ADT. ADTrees are a superset of attack trees. They may contain defender's nodes modeled by the so-called opponent's functions and countermeasures. We claim that E_M is a complete axiomatization of the multiset semantics for attack trees. Obviously, if two attack trees are equal with respect to E_M, then they are also equal with respect to E_ADT. This is clear, because E_M ⊆ E_ADT.

Conversely, we prove that if two attack trees are equal with respect to E_ADT, they are equal with respect to E_M. This follows from the following syntactical reasoning. E_ADT contains function symbols which we call countermeasures. Observe by inspecting the axioms of E_ADT that if a countermeasure occurs on the left-hand side of an equation, then it also occurs on the right-hand side, and vice versa. Therefore, axioms (E13), (E16), (E17), (E18), (E19), (E20) from E_ADT can never be used in a derivation of equality of two standard attack trees. Further, observe that the remaining axioms (E9) and (E12) from E_ADT make use of opponent's functions. In these axioms, an opponent's function occurs on the left-hand side if and only if it occurs on the right-hand side. Thus these axioms are never used to equate two attack trees which do not contain opponent's nodes. The remaining axioms are precisely (E1), (E2), (E3), (E4), (E5), (E6), (E10), (E11). So, we can only use these axioms to derive equalities of attack trees with respect to E_ADT, which implies that such a derivation is also possible using axioms from E_M. □


By comparing the complete sets of axioms E_SP and E_M we obtain that two attack trees are equivalent under the multiset semantics if and only if they are equivalent under the SP semantics. This is formalized in the following theorem.

Theorem 4. SAND attack trees under the SP semantics are a conservative extension of attack trees under the multiset semantics.


Proof. Let t and t' be standard attack trees. Let ⟦t⟧_M and ⟦t'⟧_M be their interpretation in the multiset semantics and ⟦t⟧_SP and ⟦t'⟧_SP be their interpretation in the SP semantics. We prove that ⟦t⟧_M = ⟦t'⟧_M if and only if ⟦t⟧_SP = ⟦t'⟧_SP.

By Theorem 3 a complete axiomatization of the multiset semantics for attack trees consists of axioms (E1), (E2), (E3), (E4), (E5), (E6), (E10), (E11). The complete axiomatization of the SP semantics for SAND attack trees additionally contains axioms (E4'), (E6'), and (E10'). Thus, every equivalence of attack trees under the multiset semantics is clearly an equivalence of SAND attack trees under the SP semantics.

To see the converse, we show that the additional axioms do not introduce new equalities on standard attack trees. First inspect the three additional axioms and note that all of them contain the SAND operator.

Next, observe that for all axioms, the set of variables occurring on the left-hand side is equal to the set of variables occurring on the right-hand side. Thus, there is no axiom eliminating all occurrences of a variable. In particular, we claim that all axioms transform terms containing a p-ary SAND expression, where p ≥ 2, into terms containing a q-ary SAND expression, for some q ≥ 2. This is evident for equations without the SAND operator (since no variables are eliminated) and remains to be shown for equations (E4'), (E6'), and (E10'). Axiom (E6') introduces and removes unary SAND, but does not modify the single variable X and therefore satisfies the claim. The arities of the two left-hand side SAND operators in equation (E4') are l and k + l + m and the arity of the right-hand side operator is k + l + m, where k, m ≥ 0 and l ≥ 1. Since 1 ≤ l ≤ k + l + m and both sides contain a SAND operator of arity k + l + m, if either of the two sides contains a SAND operator with two or more arguments, then so does the other side. Finally, since l ≥ 1, the arity of the SAND operator on the left-hand side of equation (E10') is equal to the arities of the SAND operators on its right-hand side and at least one SAND operator occurs on the right-hand side.

We can now show that none of the three axioms (E4'), (E6'), (E10') introduces new equalities on standard attack trees. In particular, axiom (E6') introduces and removes unary SAND, but this does not introduce new equalities on standard attack trees. Equations (E4') and (E10') match unary SAND, but require a further SAND with 2 or more arguments to add a new equality. Since, by the above claim, no p-ary SAND for p ≥ 2 can be introduced with any of the equations, the additional equations do not introduce new equalities on standard attack trees.

□


5 Attributes 

Attack trees do not only serve to represent security scenarios in a graphical way. They can also be used to quantify such scenarios with respect to a given parameter, called an attribute. Typical examples of attributes include the likelihood that the attacker's goal is satisfied and the minimal time or cost of an attack. Schneier described [26] an intuitive bottom-up algorithm for calculating attribute values on attack trees: attribute values are assigned to the leaf nodes and two functions⁶ (one for the OR and one for the AND refinement) are used to propagate the attribute value up to the root node. Mauw and Oostdijk showed [18] that if the binary operations induced by the two functions define a semiring, then the evaluation of the attribute on two attack trees equivalent with respect to the multiset semantics yields the same value. This result has been generalized to any semantics and attribute that satisfy a notion of compatibility [13]. We briefly discuss it for SAND attack trees at the end of this section. We start with a demonstration of how the bottom-up evaluation algorithm can naturally be extended to SAND attack trees.

An attribute domain for an attribute A_α on SAND attack trees is a tuple D_α = (V_α, ∨_α, ∧_α, ⊙_α) where V_α is a set of values and ∨_α, ∧_α, ⊙_α are families of k-ary functions of the form V_α × ⋯ × V_α → V_α, associated to OR, AND, and SAND refinements, respectively. An attribute for SAND attack trees is a pair A_α = (D_α, β_α) formed by an attribute domain D_α and a function β_α : B → V_α, called basic assignment for A_α, which associates a value from V_α with each basic action b ∈ B.

Definition 6. Let A_α = ((V_α, ∨_α, ∧_α, ⊙_α), β_α) be an attribute. The attribute evaluation function α : T_SAND → V_α which calculates the value of attribute A_α for every SAND attack tree t ∈ T_SAND is defined recursively as follows:

$$
\alpha(t) = \begin{cases}
\beta_\alpha(t) & \text{if } t = b,\ b \in B\\
\vee_\alpha(\alpha(t_1), \ldots, \alpha(t_k)) & \text{if } t = \mathrm{OR}(t_1, \ldots, t_k)\\
\wedge_\alpha(\alpha(t_1), \ldots, \alpha(t_k)) & \text{if } t = \mathrm{AND}(t_1, \ldots, t_k)\\
\odot_\alpha(\alpha(t_1), \ldots, \alpha(t_k)) & \text{if } t = \mathrm{SAND}(t_1, \ldots, t_k)
\end{cases}
$$


The following example illustrates the bottom-up evaluation of the attribute minimal attack time on the SAND attack tree given in Example 1.

Example 6. Let α denote the minimal time that the attacker needs to achieve her goal. We make the following assignments to the basic actions: ftp ↦ 3, rsh ↦ 5, lobf ↦ 7, ssh ↦ 8, rsa ↦ 9. Since we are interested in the minimal attack time, the function for an OR node is defined by ∨_α(x_1, …, x_k) = min{x_1, …, x_k}. The function for an AND node is ∧_α(x_1, …, x_k) = max{x_1, …, x_k}, which models that the children of a conjunctively refined node are executed in parallel. Finally, in order to model that the children of a SAND node need to be executed sequentially, we let ⊙_α(x_1, …, x_k) = Σ_{i=1}^{k} x_i. According to Definition 6 the minimal attack time for our running scenario t is

$$ \vee_\alpha\big(\odot_\alpha(\odot_\alpha(3, 5), 7),\ \wedge_\alpha(8, 9)\big) = \min\big(\Sigma(\Sigma(3, 5), 7),\ \max(8, 9)\big) = 9. $$

⁶ These are actually families of functions representing infinitely many k-ary function symbols, for all k ≥ 2.
In the case of standard attack trees, the bottom-up procedure uses only two
functions to propagate the attribute values to the root - one for conjunctive 
and one for disjunctive nodes. This means that the same function is employed to 
calculate the value of every conjunctively refined node, independently of whether 
its children need to be executed sequentially or can be executed simultaneously. 
Evidently, with SAND attack trees, we can apply different propagation functions 
for AND and SAND nodes, as in Example [6] Therefore, SAND attack trees can be 
evaluated over a larger set of attributes, and hence may provide more accurate 
evaluations of attack scenarios than standard attack trees. 

To guarantee that the evaluation of an attribute on equivalent attack trees yields the same value, the attribute domain must be compatible with the considered semantics [13]. Our complete set of axioms is a useful tool to check for compatibility. Consider an attribute domain D_α = (V_α, ∨_α, ∧_α, ⊙_α), and let σ be the mapping σ = {OR ↦ ∨_α, AND ↦ ∧_α, SAND ↦ ⊙_α}. Guaranteeing that D_α is compatible with a semantics axiomatized by E amounts to verifying that the equality σ(l) = σ(r) holds in V_α, for every axiom l = r ∈ E. It is an easy exercise to show that the attribute domain for minimal attack time, considered in Example 6, is compatible with the SP semantics for SAND attack trees.
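The bottom-up evaluation of Definition 6 and the compatibility check described in the previous paragraph, as an added example that is not the paper's own code. The evaluator reproduces Example 6; the compatibility check instantiates each axiom of E_SP on a constructed grid of values and reports every axiom whose two sides evaluate differently. The axiom instances are this example's binary and ternary instances of the axiom schemes, reconstructed from their descriptions in Section 4 (commutativity, associativity, idempotence of OR, unary collapse, distributivity of AND and SAND over OR), so they are assumptions about the exact shapes; a failing instance disproves compatibility, whereas passing the whole grid is evidence rather than the symbolic proof the text calls for. A second, constructed domain that counts attack alternatives (sum for OR, product for AND and SAND) is included to show the check detecting an incompatible domain.

```python
"""Added example: attribute evaluation (Definition 6) and an axiom-based
compatibility check for attribute domains.  Not the paper's code.

A term is a str (basic action) or (op, args) with op in {"OR", "AND", "SAND"}.
An attribute domain is a dict mapping each operator to a function over a list.
"""
from itertools import product
from math import prod


def evaluate(t, domain, beta):
    """alpha(t): a leaf gets beta(b); a node applies the k-ary function of its operator."""
    if isinstance(t, str):
        return beta[t]
    op, args = t
    return domain[op]([evaluate(a, domain, beta) for a in args])


# Attribute domain of Example 6 (minimal attack time) and its basic assignment.
MIN_TIME_DOMAIN = {"OR": min, "AND": max, "SAND": sum}
MIN_TIME_BETA = {"ftp": 3, "rsh": 5, "lobf": 7, "ssh": 8, "rsa": 9}

# Constructed domain counting attack alternatives; syntactic duplicates are counted twice.
ATTACK_COUNT_DOMAIN = {"OR": sum, "AND": prod, "SAND": prod}

# Running scenario: the shape of t is assumed from the evaluation in Example 6;
# t' is its canonical form from Example 5.
T = ("OR", (("SAND", (("SAND", ("ftp", "rsh")), "lobf")), ("AND", ("ssh", "rsa"))))
T_PRIME = ("OR", (("SAND", ("ftp", "rsh", "lobf")), ("AND", ("ssh", "rsa"))))

# Assumed instances (l, r) of the axiom schemes of E_SP over the variables X, Y, Z, W.
AXIOMS = {
    "E1":   (("OR", ("X", "Y")), ("OR", ("Y", "X"))),
    "E2":   (("AND", ("X", "Y")), ("AND", ("Y", "X"))),
    "E3":   (("OR", ("X", ("OR", ("Y", "Z")))), ("OR", ("X", "Y", "Z"))),
    "E4":   (("AND", ("X", ("AND", ("Y", "Z")))), ("AND", ("X", "Y", "Z"))),
    "E4'":  (("SAND", ("X", ("SAND", ("Y", "Z")), "W")), ("SAND", ("X", "Y", "Z", "W"))),
    "E5":   (("OR", ("X", "Y", "Y")), ("OR", ("X", "Y"))),
    "E6":   (("AND", ("X",)), "X"),
    "E6'":  (("SAND", ("X",)), "X"),
    "E10":  (("AND", ("X", ("OR", ("Y", "Z")))),
             ("OR", (("AND", ("X", "Y")), ("AND", ("X", "Z"))))),
    "E10'": (("SAND", ("X", ("OR", ("Y", "Z")), "W")),
             ("OR", (("SAND", ("X", "Y", "W")), ("SAND", ("X", "Z", "W"))))),
    "E11":  (("OR", ("X",)), "X"),
}
VARIABLES = ("X", "Y", "Z", "W")
SAMPLE_VALUES = (0, 1, 2, 5)          # constructed grid of attribute values


def incompatible_axioms(domain):
    """Labels of axioms l = r with sigma(l) != sigma(r) for some assignment on the grid."""
    failing = []
    for label, (lhs, rhs) in AXIOMS.items():
        for values in product(SAMPLE_VALUES, repeat=len(VARIABLES)):
            beta = dict(zip(VARIABLES, values))     # the variables play the role of basic actions
            if evaluate(lhs, domain, beta) != evaluate(rhs, domain, beta):
                failing.append(label)
                break
    return failing


def min_attack_time(t):
    """Minimal attack time of t under the domain and assignment of Example 6."""
    return evaluate(t, MIN_TIME_DOMAIN, MIN_TIME_BETA)


if __name__ == "__main__":
    print(min_attack_time(T), min_attack_time(T_PRIME))   # 9 and 9, as in Example 6
    print(incompatible_axioms(MIN_TIME_DOMAIN))            # []: no axiom is violated
    print(incompatible_axioms(ATTACK_COUNT_DOMAIN))        # ['E5']: OR(X, Y, Y) counts Y twice
```

The minimal-time domain passes every axiom instance, which is the evidence one expects for a domain the text calls compatible, and evaluating t and its canonical form t' yields the same value 9. The counting domain fails exactly the idempotence axiom (E5): two SP-equivalent trees that differ only by a duplicated alternative get different counts, so that attribute would give different answers for trees that the semantics regards as the same scenario.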


6 Conclusions 


We have formalized the extension of attack trees with sequential conjunctive 
refinement, called SAND, and given a semantics to SAND attack trees in terms of 
sets of series-parallel graphs. This SP semantics naturally extends the multiset 
semantics for attack trees from [18]. We have shown that the notion of a complete 
set of axioms for a semantics and the bottom-up evaluation procedure can be 
generalized from attack trees to SAND attack trees, and have proposed a complete 
axiomatization of the SP semantics. 

A number of recently proposed solutions focus on extending attack trees with defensive measures [25, 3]. These extensions support reasoning about security scenarios involving two players - an attacker and a defender - and the interaction between them. In future work, we intend to add the SAND refinement to such trees. Afterwards, we plan to investigate sequential disjunctive refinement, as used for instance in [2]. Our goal is to propose a complete formalization of trees with attack and defense nodes that have parallel and sequential, conjunctive and disjunctive refinements. The findings will be implemented in the software application ADTool.